TWC: Small: Collaborative: Similary-Based Program Analyses for Eliminating Vulnerabilities

TWC：小型：协作：基于相似性的程序分析以消除漏洞

• 批准号: 1434582
• 负责人: Tao Xie
• 金额: $ 25万
• 依托单位: University of Illinois at Urbana-Champaign
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2013
• 资助国家: 美国
• 起止时间: 2013-07-01 至 2017-07-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1434582&HistoricalAwards=false
• 关键词: TWC; Small; Collaborative; Similary; Based

The security of critical information infrastructures depends upon effective techniques to detect vulnerabilities commonly exploited by malicious attacks. Due to poor coding practices or human error, a known vulnerability discovered and patched in one code location may often exist in many other unpatched code locations, either in the same code base or other code bases. Furthermore, patches are often error-prone, resulting in new vulnerabilities. This project develops practical techniques for detecting code-level similarity to prevent such vulnerabilities. It has the potential to help build a more reliable and secure information system infrastructure, which will have tremendous economical impact on society because of our growing reliance on information technologies.In particular, the project aims to develop practical techniques for similarity-based testing and analysis to detect unpatched vulnerable code and validate patches to the detected vulnerable code at both the source code and binary levels. To this end, it focuses on three main technical directions: (1) developing techniques for detecting source-level vulnerabilities by adapting and refining an industrial-strength tool, (2) developing capabilities of detecting binary-level vulnerabilities by extending preliminary work on detecting code clones in binaries, and (3) supporting patch validation and repair by developing methodologies and techniques to validate software patches and help produce correct, secure patches. This project helps discover new techniques for source- and binary-level vulnerability analysis and gain better understandings of the fundamental and practical challenges for building highly secure and reliable software.

关键信息基础架构的安全性取决于有效的技术，以检测恶意攻击通常利用的漏洞。由于编码实践或人为错误不佳，在一个代码位置中发现和修补的已知漏洞通常可能存在于许多其他未捕获的代码位置，无论是在同一代码库还是其他代码库中。此外，补丁通常容易出错，导致新的漏洞。该项目开发了用于检测代码级相似性以防止此类漏洞的实用技术。它有可能帮助建立更可靠，更安全的信息系统基础架构，因为我们对信息技术的依赖越来越不断增长，该基础架构将对社会产生巨大的经济影响。尤其是，该项目旨在为基于相似性的测试和分析开发实用技术，以检测未涉及的易受脆弱的代码，并在两个源代码和bary级别上验证脆弱的密码，并验证易于验证的代码。为此，它关注三个主要技术方向：（1）通过适应和完善工业强度工具来开发用于检测源水平漏洞的技术，（2）开发能够通过检测二进制漏洞的能力来检测二进制漏洞，通过在探测和修复方面进行验证和修复方法，并（3）在BINARIES和3）进行验证方面进行验证，并（3）进行修复和修复方法，并（3）进行修复和修复方法，以及3）正确，安全的补丁。该项目有助于发现用于来源和二进制级别漏洞分析的新技术，并对构建高度安全和可靠软件的基本和实用挑战获得更好的理解。